CrowdStrike warns of a spike in assaults aimed toward infecting macOS customers with a variant of the notorious Atomic macOS Stealer (AMOS) data stealer.
Between June and August, the cybercrime group Cookie Spider, which operates the AMOS malware-as-a-service (MaaS) enterprise, used malvertising to direct victims to fraudulent assist web sites and trick them into putting in the malware.
The marketing campaign, CrowdStrike says, focused customers who have been trying to find options to frequent macOS points, and relied on selling fraudulent commercials for web sites the place victims have been instructed to execute a malicious command on their techniques.
The command would fetch a Bash script from a distant server, to seize the sufferer’s password and obtain an executable from one other distant location.
Dubbed SHAMOS, the payload is a variant of AMOS that accommodates anti-VM checks to forestall execution in a sandboxed setting, and which might carry out reconnaissance and information assortment duties.
The malware searches the system for recordsdata that comprise credentials, information from Keychain, AppleNotes, browsers, and identified cryptocurrency wallets, and makes an attempt to exfiltrate them to a distant server, packed in a ZIP archive.
Moreover, SHAMOS can obtain and execute payloads, together with a botnet module and a faux Ledger Reside pockets software.
The malvertising marketing campaign focused customers in Canada, China, Colombia, Italy, Japan, Mexico, the US, the UK, and different international locations, however was not served to Russian customers.Commercial. Scroll to proceed studying.
CrowdStrike’s investigation revealed that the cybercriminals probably impersonated a reliable Australia-based electronics retailer of their Google Promoting profile.
“This marketing campaign underscores the recognition of malicious one-line set up instructions amongst eCrime actors. This method permits them to bypass Gatekeeper safety checks and set up the Mach-O executable immediately onto sufferer gadgets,” CrowdStrike notes.
Associated: Homebrew macOS Customers Focused With Info Stealer Malware
Associated: Excessive-Worth NPM Builders Compromised in New Phishing Marketing campaign
Associated: North Korean Hackers Goal macOS Customers
Associated: Digium Telephones Focused in Cybercrime Marketing campaign Geared toward VoIP Methods
